Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
seebugRootSSV:96443
HistorySep 12, 2017 - 12:00 a.m.

Microsoft Edge Content Security Bypass Vulnerability

2017-09-1200:00:00
Root
www.seebug.org
42

0.007 Low

EPSS

Percentile

77.2%

JSON

Summary

An exploitable information leak vulnerability exists in the Content Security Policy enforcement functionality of Microsoft Edge 40.15063.0.0. A specially crafted web page can cause a content security policy bypass resulting in an information leak. An attacker can create a malicious webpage to trigger this vulnerability.

Tested Versions

Microsoft Edge 40.15063.0.0

Product URLs

https://www.microsoft.com/en-us/windows/microsoft-edge

CVSSv3 Score

4.3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

CWE

CWE-284: Improper Access Control

Details

An attacker can bypass the Content-Security-Policy header that is used to make the browser protect against information leakage from a web site.
By loading a new document using window.open(β€œβ€,β€œ_blank”) and document.write-ing into it, (being in about:blank) an attacker can circumvent the CSP restrictions put on the document that the original page’s Javascript code was running on and reach out to other sites. One could argue that the code was loaded with unsafe-inline in the CSP header, but that should still block any cross-site communication (e.g. 1x1px tracking image etc).
The about:blank page has the same origin as its loading document, but CSP restrictions have been removed. The spec is pretty explicit that the CSP restrictions should be inherited: https://w3c.github.io/webappsec-csp/#initialize-document-csp.
Tests show that e.g. Firefox does not show this behavior, but rather makes the new document inherit CSP from its loading document. This vulnerability was also present in Apple Safari (CVE-2017-2419) and Google Chrome (CVE-2017-5033) and was corrected there.

Timeline

  • 2016-11-29 - Initial vendor contact by Nicolai
  • 2016-12-01 - Vendor confirms receipt
  • 2017-01-04 - Follow up with Vendor
  • 2017-01-04 - Vendor confirms reproduction
  • 2017-03-06 - Follow up with Vendor
  • 2017-03-07 - Vendor says this is by design and does not consider it a vulnerability
  • 2017-03-07 - More information provided to vendor
  • 2017-03-29 - Talos involvement, asks vendor to reconsider
  • 2017-06-06 - Follow up with vendor
  • 2017-06-07 - Vendor reopens case to reconsider
  • 2017-08-22 - Vendor informed about pending release date
  • 2017-09-06 - Public Release

CREDIT

  • Discovered by Nicolai GrΓΈdum of Cisco.

Related

talosblog 1
talos 1
debiancve 2
cve 2
ubuntucve 2
prion 2
redhatcve 1
nessus 17
ubuntu 2
openvas 13
archlinux 2
suse 2
freebsd 1
debian 2
redhat 1
osv 1
mageia 2
gentoo 2
chrome 1
fedora 3
apple 4
talosblog
talosblog
Vulnerability Spotlight: Content Security Policy bypass in Microsoft Edge, Google Chrome and Apple Safari
2017-09-06 11:18:00
talos
talos
Microsoft Edge Content Security Bypass Vulnerability
2017-09-06 00:00:00
debiancve
debiancve
CVE-2017-2419
2017-04-02 01:59:00
CVE-2017-5033
2017-04-24 23:59:00
cve
cve
CVE-2017-2419
2017-04-02 01:59:00
CVE-2017-5033
2017-04-24 23:59:00
ubuntucve
ubuntucve
CVE-2017-5033
2017-03-10 00:00:00
CVE-2017-2419
2017-04-01 00:00:00
prion
prion
Design/Logic Flaw
2017-04-24 23:59:00
Authentication flaw
2017-04-02 01:59:00
redhatcve
redhatcve
CVE-2017-5033
2017-03-10 09:19:15
nessus
nessus
Ubuntu 14.04 LTS / 16.04 LTS : Oxide vulnerabilities (USN-3236-1)
2017-03-30 00:00:00
FreeBSD : chromium -- multiple vulnerabilities (a505d397-0758-11e7-8d8b-e8e0b747a45a)
2017-03-13 00:00:00
openSUSE Security Update : Chromium (openSUSE-2017-353)
2017-03-20 00:00:00
ubuntu
ubuntu
Oxide vulnerabilities
2017-03-29 00:00:00
WebKitGTK+ vulnerabilities
2017-04-10 00:00:00
openvas
openvas
Ubuntu: Security Advisory (USN-3236-1)
2017-03-30 00:00:00
Google Chrome Security Updates (stable-channel-update-for-desktop-2017-03) - Windows
2017-03-10 00:00:00
openSUSE: Security Advisory for Chromium (openSUSE-SU-2017:0738-1)
2017-03-18 00:00:00
archlinux
archlinux
[ASA-201703-4] chromium: multiple issues
2017-03-11 00:00:00
[ASA-201704-9] webkit2gtk: multiple issues
2017-04-28 00:00:00
suse
suse
Security update for Chromium (important)
2017-03-18 00:09:23
Security update for Chromium (important)
2017-03-18 00:08:56
freebsd
freebsd
chromium -- multiple vulnerabilities
2017-03-09 00:00:00
debian
debian
[SECURITY] [DSA 3810-1] chromium-browser security update
2017-03-15 12:29:29
[SECURITY] [DSA 3810-1] chromium-browser security update
2017-03-15 12:29:29
redhat
redhat
(RHSA-2017:0499) Important: chromium-browser security update
2017-03-14 06:03:42
osv
osv
chromium-browser - security update
2017-03-15 00:00:00
mageia
mageia
Updated webkit2 packages fix security vulnerability
2017-04-16 09:29:12
Updated chromium-browser-stable packages fix security vulnerability
2017-04-21 10:24:22
gentoo
gentoo
Chromium: Multiple vulnerabilities
2017-04-10 00:00:00
WebKitGTK+: Multiple vulnerabilities
2017-06-07 00:00:00
chrome
chrome
Stable Channel Update for Desktop
2017-03-09 00:00:00
fedora
fedora
[SECURITY] Fedora 26 Update: qt5-qtwebengine-5.9.0-4.fc26
2017-07-06 22:53:47
[SECURITY] Fedora 25 Update: qt5-qtwebengine-5.9.0-4.fc25
2017-07-12 03:27:41
[SECURITY] Fedora 24 Update: qt5-qtwebengine-5.6.3-0.1.20170712gitee719ad313e564.fc24
2017-07-23 21:52:43
apple
apple
About the security content of Safari 10.1
2017-03-27 00:00:00
About the security content of Safari 10.1 - Apple Support
2017-08-29 02:51:42
About the security content of iOS 10.3 - Apple Support
2017-08-01 06:52:17

0.007 Low

EPSS

Percentile

77.2%

JSON
Related for SSV:96443
talosblog1talos1debiancve2cve2ubuntucve2prion2redhatcve1nessus17ubuntu2openvas13archlinux2suse2freebsd1debian2redhat1osv1mageia2gentoo2chrome1fedora3apple4